Privacy Policy

Last updated: 24 February 2025

1. Introduction

Jelifish Ltd, trading as CodeClaim ("we", "us", "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use CodeClaim ("the Service").

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

Account Information

  • Name and email address
  • GitHub account information (username, profile data provided via OAuth)
  • Billing information (processed by Stripe; we do not store card details)

Repository Data

  • Repository metadata (name, description, language, stars)
  • Commit diffs — the changes between commits (not full source code files)
  • Commit messages and metadata (author, date, hash)

Generated Data

  • R&D classification results and scores
  • Generated report content
  • Usage analytics (features used, reports generated)

Technical Data

  • IP address and approximate location
  • Browser type and operating system
  • Session data and authentication tokens

3. How We Use Your Data

We process your data for the following purposes:

  • Service delivery (contractual necessity): Analysing your repository commits and generating R&D tax credit reports
  • Account management (contractual necessity): Maintaining your account, processing payments, and managing subscriptions
  • Service improvement (legitimate interest): Improving the accuracy of our AI classification and the quality of generated reports
  • Communication (legitimate interest): Sending service updates, security notices, and support responses
  • Legal compliance (legal obligation): Meeting our obligations under UK tax law and data protection legislation

4. AI Analysis and Code Processing

CodeClaim uses artificial intelligence (Anthropic Claude) to analyse your code commits and classify R&D activities. This is a core part of how the Service works.

What We Send to the AI

  • Commit diffs only — the changes between commits, not your full source code files
  • Commit messages and metadata
  • Repository language and framework information

What We Do Not Send to the AI

  • Full source code files or repository contents
  • Environment variables, secrets, or credentials
  • Personal data unrelated to the commit (e.g. your email)

Data Retention for AI Processing

Raw commit diffs are deleted immediately after AI analysis is complete. Only the resulting classification data and report content are retained in our systems. Anthropic does not retain your data for model training under our data processing agreement.

5. Data Retention

  • Raw commit diffs: Deleted immediately after analysis
  • Classification results and reports: Retained while your account is active, deleted within 30 days of account deletion
  • Account data: Retained while your account is active, deleted within 30 days of account deletion
  • Billing records: Retained for 7 years as required by UK tax law
  • Server logs: Retained for 90 days

6. Data Sharing and Sub-Processors

We share your data with the following third-party sub-processors, each of which is bound by a data processing agreement:

Provider | Purpose | Data Processed | Location
Anthropic | AI-powered code analysis and R&D classification | Commit diffs (not full source code) | United States
Amazon Web Services (AWS) | Cloud infrastructure, data storage, and compute | All application data | EU (London, eu-west-2)
Stripe | Payment processing | Billing information, email address | United States (EU SCCs)
GitHub | OAuth authentication, repository access | Account information, repository data | United States (EU SCCs)

We do not sell your personal data to third parties. We do not share your data with any parties other than those listed above.

7. International Data Transfers

Some of our sub-processors are based outside the UK. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
  • Data processing agreements with all sub-processors
  • UK adequacy decisions where applicable

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate personal data
  • Right to erasure: Request deletion of all your personal data. You can do this through your account settings or by contacting us. We will delete your data within 30 days, except where retention is required by law
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Request your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests

To exercise any of these rights, contact us at hello@jelifish.co.uk. We will respond within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest (AES-256)
  • Access controls and authentication
  • Regular security reviews
  • Minimal data collection and retention

10. Cookies

We use only essential cookies required for the Service to function. See our Cookie Policy for details.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "last updated" date at the top indicates when this policy was last revised.

12. Contact

If you have questions about this Privacy Policy or how we handle your data, contact us at hello@jelifish.co.uk.